Analysis
  max time kernel: 96s
  max time network: 98s
  platform: windows10-2004_x64
  resource: win10v2004-20230221-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16-06-2023 10:33
  Static task: static1
  URLScan task: urlscan1
  Behavioral task: behavioral1
    Sample: http://calcpcb.hasil.gov.my
    Resource: win10v2004-20230221-en
General
  Target: http://calcpcb.hasil.gov.my

Malware Config

Signatures
Checks processor information in registry (2 TTPs, 5 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description       | ioc                                                                          | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                   | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature  | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision   | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz              | firefox.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier  | firefox.exe
Modifies registry class (1 IoCs)
  description | ioc                                                                                         | Process
  Key created | \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings        | firefox.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              | pid  | Process
  Token: SeDebugPrivilege  | 2760 | firefox.exe
  Token: SeDebugPrivilege  | 2760 | firefox.exe
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid  | Process
  2760 | firefox.exe  (4 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
  pid  | Process
  2760 | firefox.exe  (3 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid  | Process
  2760 | firefox.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed with their counts)
  description                       | pid  | Process     | procid_target
  PID 1408 wrote to memory of 2760  | 1408 | firefox.exe | 84   (11 entries)
  PID 2760 wrote to memory of 1428  | 2760 | firefox.exe | 85   (2 entries)
  PID 2760 wrote to memory of 4696  | 2760 | firefox.exe | 86   (48 entries)
  PID 2760 wrote to memory of 3816  | 2760 | firefox.exe | 87   (3 entries)

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

firefox.exe (PID 1408)
  Image: C:\Program Files\Mozilla Firefox\firefox.exe
  Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" http://calcpcb.hasil.gov.my
  Signatures:
    - Suspicious use of WriteProcessMemory

  firefox.exe (PID 2760), child of PID 1408
    Image: C:\Program Files\Mozilla Firefox\firefox.exe
    Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" http://calcpcb.hasil.gov.my
    Signatures:
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    firefox.exe (PID 1428), child of PID 2760, content process type "gpu"
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.0.495030507\1948533226" -parentBuildID 20221007134813 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97dadf21-6c68-4d98-be64-63d6140bc84f} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 1916 23a35c19558 gpu

    firefox.exe (PID 4696), child of PID 2760, content process type "socket"
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.1.1512236854\721763942" -parentBuildID 20221007134813 -prefsHandle 2412 -prefMapHandle 2400 -prefsLen 21706 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425f3b5a-bfc3-487e-8018-1cff0d41f537} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2424 23a27c72858 socket

    firefox.exe (PID 3816), child of PID 2760, content process type "tab" (childID 1)
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.2.870223228\1432671504" -childID 1 -isForBrowser -prefsHandle 2820 -prefMapHandle 2796 -prefsLen 21854 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {04453371-e2e7-4263-995c-70220d3102d4} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 2980 23a38b0e458 tab

    firefox.exe (PID 2512), child of PID 2760, content process type "tab" (childID 2)
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.3.816150113\645053342" -childID 2 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5415004b-b2e7-4d18-92a0-cf51963fb212} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4004 23a39873858 tab

    firefox.exe (PID 3208), child of PID 2760, content process type "tab" (childID 3)
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.4.1366157813\1381267335" -childID 3 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3af032ec-cb37-43a4-bdfb-feac3c65939a} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 4716 23a3b6d4158 tab

    firefox.exe (PID 3172), child of PID 2760, content process type "tab" (childID 5)
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.6.246240094\472170995" -childID 5 -isForBrowser -prefsHandle 5268 -prefMapHandle 5272 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2678e32e-a834-49b5-a41d-6957bcb971da} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 5260 23a3b6d6858 tab

    firefox.exe (PID 2948), child of PID 2760, content process type "tab" (childID 4)
      Image: C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2760.5.1137336157\382455788" -childID 4 -isForBrowser -prefsHandle 5104 -prefMapHandle 5100 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1444 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9de99dba-28f9-41e5-be5c-bf0e82fa8abb} 2760 "\\.\pipe\gecko-crash-server-pipe.2760" 5112 23a3b6d5658 tab
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\activity-stream.discovery_stream.json.tmp
  Filesize: 143KB
  MD5:    082558e90de44badee85037ef7d20ce5
  SHA1:   42802e31bd3af5ee5203739c2f96265165ff042f
  SHA256: bc94f5bad179f94a14ad4bfcb7943acc1b6ef7de6a1c6ed4eabe9865f723e0ea
  SHA512: cd6102fd2fcab0307a1bae1b6a125d41aacdc35d865bb8a84d4ed4c77b71417b98ee56e94cfa7471fc7c757e7a0ad1a6d14de1f3d47325dcc21641ca1df8d8a5

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\195576DF92B9C9698555571D55CF75B0700793C3
  Filesize: 5KB
  MD5:    12b3c98b1207bfb312157dcaadf36616
  SHA1:   6fba432b71a84abc48b66e60ccb3e190e4fc40bf
  SHA256: 7284ab5bb7905294ae9c19341dc5d02391134a6e254f9c6880c8e6bc20e44ec5
  SHA512: 5f1946153a2565853c578f8ea4f08ad8abafee14213b397b07d9bffaf738031a46a8a9b20f4fba2aa4eb69d405bad44afd55d96d9237f62cab176b83bc35cb52

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\798941A17B06B3929085FE3F5407B44C40D096E7
  Filesize: 235KB
  MD5:    02adf75c7a04a1e1e06151ad3205a45c
  SHA1:   06850612933f7adc2e8a9cfd0032b434b7ea7ec0
  SHA256: 81703dc8e8c1c28822cf95372b383917758cda5052b32704cb56d22cc661b1bc
  SHA512: ad938e68c324448750534a1b4f686b5455c3e9909475c7e4dde122257686ec71e4f1e2b4284ce24b0cbab8f29e7748e77437eb84811df86f58ba3908a6e817b8

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\F708EF6C09E50BA07D9CC5BE40AC6EBC6158B0C7
  Filesize: 337KB
  MD5:    45582ae8c307174bf4d5e19808d923ea
  SHA1:   ddd95765cff5dfdd3c9684f0a86120e3d683e313
  SHA256: ff29617c78fa61e338b667f9f944603062419ffe59e7395b7dcd4f6accf1035d
  SHA512: 097c497c9ed467ca69a5eb89cd79d28442c07e3d02d4ccd6e3b7ffc9b42da23080b2e77f7f9d351a10324b1242bad39f266ca2c324a57bd0df8378256e21691e

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\cache2\entries\FC661F60E4EC9901EA61B1C2A56216148F9CACC2
  Filesize: 97KB
  MD5:    262f067a1e15df1e2a0b69e7ef80f51e
  SHA1:   d8b79199210a04b880a798a63b6665c6d6e7c0a8
  SHA256: 93bfe3542c10140fcdeb892cf6f75549ad076d41f8684449a153c04962164d10
  SHA512: 447a2c4ceb614c48b2406adf1bee6b969f557fd6c894831c3fc314c983c390ce10d997b35ada3f94f4764f165b00473e6b83e41afbea00e33f0bbd3fa46ae6f0

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bozzcyfh.default-release\safebrowsing-updating\ads-track-digest256-1.vlpset
  Filesize: 54KB
  MD5:    4f9ef3d3a71d4cb49e623e3f4b7b1162
  SHA1:   c2d65973b44b051d043475e9387fa7100514acbd
  SHA256: 48ae004f3c542ac764dd5a1e894918ec4b250b5c1f7209256c191cae13106b1f
  SHA512: f7017204ad37ceedbff4e8b58ab4edac75748d2f36693e59ea9d9157f637d29b53c6405d994ac9fc62712f2574013e95c4817ff49229c78dcc23cac805b13ed7

  Filesize: 6KB
  MD5:    50c9957420e05f53f3bd8fa1ac5e9ec0
  SHA1:   642450a3ed6ef2d6f3d6075177a36e5c524caccf
  SHA256: d3aaf504b89e42240d8da77e8b99debd24a590f2e5bb78d509f854dacfceefb4
  SHA512: 8a075098e002bc2c2da5ebfa35da53f48f7fef7e1a584f4b570b57c511d05aaaf4146ee6f1cf18025a720b23d2a3928f913ff65bf0d8deab32ca21eeececb08f

  Filesize: 7KB
  MD5:    c33c16e7fd3e50f1eceb20253d9acaba
  SHA1:   84ddf485538ef17d3a0817c7b1b2214222f69f6f
  SHA256: 393779f75bee4649daacf47d0a2751e81e497f42f5b595f4d8ee078b32b92922
  SHA512: e818bcc0003d8ec9f2bc58d0aaed15655456efface2bc9aebf5054aa205c6e886a577dd4c4dcef8afab55895da80af1073a3073e8341036a3d3f8c71d610ef40

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 2KB
  MD5:    bada2fe212cda5e4eca7f170ca12e1af
  SHA1:   801cd10bc271384f07b41d1760b4b3a9e40d671b
  SHA256: a075115b3be7e715c282c784902d3ffee5d5ee4ff4577632a016423bb9f39b92
  SHA512: fdac43141e1f86e7ef1b579a80a13c991623637424c259a90ed2e4970576d35da7b26f160556c0fac3131463c45172789a1d585a65e78a702f9591f347d2896e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 3KB
  MD5:    870084718cb6367f2e48bfa38eef9d30
  SHA1:   ed96cb13344c5d943f46580b68f098eb6539ec10
  SHA256: 31b1a46da358c02bf2c2e9be375bfd95e5366ce9ce5fc53657785da273b21d5d
  SHA512: b3b2a5e241d1e2f2633e936a7117b7d25355c763cf51dcc70d0a58564b488e33e4ca20a1e7c3206dc7d339a82c60eba82a5d3fb3e1d41838c7b0c71d70d5a85e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 2KB
  MD5:    62f3d1b180c7062d66dfa0d26d00ffd9
  SHA1:   80b1ac8ea2117a2bb75e24b0357eaaddcd930451
  SHA256: 9794f9c21ad3999bc5843e71ee9df4987cfd152563a584a48b5185e9d9f1af64
  SHA512: 96eaf90b4862b11725bc9aca11ae92d0121232771115f3255df61093872bbb3db88d913102915011c8f3dbfde3d2a122d06686141bb36de5de74c566957d4bcf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:    b9de2ff2912e359fecedad9611316613
  SHA1:   5a52275b2e9040bbf3407f26179fefea0047c7db
  SHA256: fcac47f8a4f82eb94f5af10ef603e523448c683fff2ff37a81ed9cd819de3290
  SHA512: 573d9a05d45ee57c04e576399a96fd1731fce643723d685e1d0b2b9cbc05228f10251741cd1ef4c1f7b148ca58c583ccda8a0e4d36a15ef86eecb7ff0b8dfa95

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:    fb832a73e62311f57632fe33796f998d
  SHA1:   85bfe59495dee4c796643dd08c8e9ff032ef802f
  SHA256: 715c22f23a9c3aa69ac5990858727f42619fc3594be82674ceaccccc05b8ac5d
  SHA512: 1890f7de3b2964a94cc9e5ba79aab715b366914d3ccaed21960bcc20dba37f80fd0054f610ec27ef650f8fa82dda02f8c41685ced779869b7f965b0515367ec8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bozzcyfh.default-release\sessionstore-backups\recovery.jsonlz4
  Filesize: 1KB
  MD5:    a3a783dae8a59ecb6fb7afc9740802e7
  SHA1:   719e6d394e8509c296af9282ddb2e98d6cd3e75d
  SHA256: adf82ea661b4b6082ff7a59a5c6353c87bed145716a6d6f9f959a81a9c9ef7a4
  SHA512: 6e52f3062b25624aeb6659b1a6daa034695b08f52b2ce3c7c5837c2ba0c569b24fd5e2b2b6b9f34819ef88906db275d8769693f9a0e3618e84c1c8cac57e31a1